From f5ffc4abf33ed91ac4afdfcf59c557522f3a9f89 Mon Sep 17 00:00:00 2001
From: Adam Williamson
Date: Wed, 28 Oct 2020 15:16:06 -0700
Subject: [PATCH] Backport #5212 for deployment failures with 389-ds-base 1.4.4.6+
---
5212.patch | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++
freeipa.spec | 8 +++++++-
2 files changed, 63 insertions(+), 1 deletion(-)
create mode 100644 5212.patch
diff --git a/5212.patch b/5212.patch
new file mode 100644
index 0000000..cc8f64a
--- /dev/null
+++ b/5212.patch
@@ -0,0 +1,56 @@
+From 2695789db45c2e7fe92e53a49521dc22fdffe317 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Wed, 28 Oct 2020 10:34:31 -0400
+Subject: [PATCH] New validation efforts in 389-ds-base require that the
+ backend entry for a database be created before the mapping tree entry. This
+ enforces that the mapping tree entry (the suffix) actually belongs to an
+ existing backend.
+
+For IPA we simply need to reverse the order of the backend vs mapping tree
+creation in cainstance.py -> __create_ds_db()
+
+Fixes: https://pagure.io/freeipa/issue/8558
+---
+ ipaserver/install/cainstance.py | 22 +++++++++++----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index fca829de094..1c2fab1dffb 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -1162,17 +1162,6 @@ def __create_ds_db(self):
+ backend = 'ipaca'
+ suffix = DN(('o', 'ipaca'))
+
+- # replication
+- dn = DN(('cn', str(suffix)), ('cn', 'mapping tree'), ('cn', 'config'))
+- entry = api.Backend.ldap2.make_entry(
+- dn,
+- objectclass=["top", "extensibleObject", "nsMappingTree"],
+- cn=[suffix],
+- )
+- entry['nsslapd-state'] = ['Backend']
+- entry['nsslapd-backend'] = [backend]
+- api.Backend.ldap2.add_entry(entry)
+-
+ # database
+ dn = DN(('cn', 'ipaca'), ('cn', 'ldbm database'), ('cn', 'plugins'),
+ ('cn', 'config'))
+@@ -1184,6 +1173,17 @@ def __create_ds_db(self):
+ entry['nsslapd-suffix'] = [suffix]
+ api.Backend.ldap2.add_entry(entry)
+
++ # replication
++ dn = DN(('cn', str(suffix)), ('cn', 'mapping tree'), ('cn', 'config'))
++ entry = api.Backend.ldap2.make_entry(
++ dn,
++ objectclass=["top", "extensibleObject", "nsMappingTree"],
++ cn=[suffix],
++ )
++ entry['nsslapd-state'] = ['Backend']
++ entry['nsslapd-backend'] = [backend]
++ api.Backend.ldap2.add_entry(entry)
++
+ def __setup_replication(self):
+ repl = replication.CAReplicationManager(self.realm, self.fqdn)
+ repl.setup_cs_replication(self.master_host) diff --git a/freeipa.spec b/freeipa.spec index 08c93f4..306ebe3 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -161,7 +161,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 6%{?dist} +Release: 7%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -171,6 +171,9 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.as Patch0: freeipa-4.8.10-systemd-resolved.patch Patch1: freeipa-4.8.10-systemd-resolved-configuration.patch Patch2: freeipa-4.8.10-systemd-resolved-selinux-fixes.patch +# https://github.com/freeipa/freeipa/pull/5212 +# Fix deployment errors with 389-ds-base 1.4.4.6+ +Patch3: 5212.patch # For the timestamp trick in patch application BuildRequires: diffstat @@ -1542,6 +1545,9 @@ fi %endif %changelog +* Wed Oct 28 2020 Adam Williamson - 4.8.10-7 +- Backport #5212 for deployment failures with 389-ds-base 1.4.4.6+ + * Tue Oct 13 2020 Alexander Bokovoy - 4.8.10-6 - Handle sshd_config upgrade properly Fixes: rhbz#1887928
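Review bot: The `# replication` comment that the inner hunk moves with the mapping-tree block does not describe what the block creates, and nothing in the code records why it must now follow the `# database` block. Since the ordering is the entire fix, a comment such as `# mapping tree entry: add only after the backend entry, 389-ds-base validates that the suffix belongs to an existing backend` would keep a later refactor from swapping the two `add_entry` calls back. `__create_ds_db` starts above the inner hunk, so whether a failure of the second `add_entry` (which would leave a backend entry with no mapping tree) is handled anywhere is not visible here.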
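Review bot: The comment above `Patch3` identifies the backport only by pull-request URL, and the content behind a pull request can change after the package is built. Recording the commit the patch was taken from makes the backport auditable, for example `# https://github.com/freeipa/freeipa/pull/5212 (commit 2695789db45c2e7fe92e53a49521dc22fdffe317)`, using the hash from the patch's own `From` line, presumably the PR head at the time of the backport. The file name `5212.patch` also departs from the `freeipa-4.8.10-<topic>.patch` pattern used by `Patch0` to `Patch2`, which makes it harder to tell what the patch is for when it is dropped on the next rebase.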